mMerlin, posted June 28, 2014

A search here shows an old topic about Cloudflare not being responsible for spam from and about sites that normal reporting points to them. And another about joe jobbing of sites they host.

However, almost all of my 'normal' spam for the past few days has been showing links to sites that report to (disabled) abuse[at]cloudflare.com. Some with the email source pointing there too. That includes spam that is attempting to use the links to collect more information, and sell me 'junk'.

Has the manager or the botnet that spews most of my spam shifted their hosting to Cloudflare? Is it time / possible to find some other place to report these?

Examples (with GUID-style suffixes removed): http:/ /bccdui.com http:/ /cottage-bb.com http:/ /banksville.net http:/ /dcdzine.com http:/ /escape-tour.com http:/ /fmuae.com http:/ /camcoomya.com

Suggestions?

Edited by SteveT (turetzsr) to break the URL links.
petzl, posted June 28, 2014

> A search here shows an old topic about Cloudflare not being responsible for spam from and about sites that normal reporting points to them. And another about joe jobbing of sites they host.
>
> However, almost all of my 'normal' spam for the past few days has been showing links to sites that report to (disabled) abuse[at]cloudflare.com. Some with the email source pointing there too. That includes spam that is attempting to use the links to collect more information, and sell me 'junk'.
>
> Has the manager or the botnet that spews most of my spam shifted their hosting to Cloudflare? Is it time / possible to find some other place to report these?
>
> Examples (with GUID-style suffixes removed): http:/ /bccdui.com http:/ /cottage-bb.com http:/ /banksville.net http:/ /dcdzine.com http:/ /escape-tour.com http:/ /fmuae.com http:/ /camcoomya.com
>
> Suggestions?
>
> Edited by SteveT (turetzsr) to break the URL links.

Botnet static (joe job). The sites are suspicious but "innocent".

http://www.spamcop.net/sc?id=z5911914157z8...46721665405a89z

In notes I have a boilerplate to add to the SpamCop report. The bits in RED I added to my boilerplate:

14.96.170.206 (Administrator of network where email originates)
BOTNET ATTACK HOST
http://cbl.abuseat.org/lookup.cgi?ip=14.96.170.206
BLOCK OUTBOUND PORT 25, RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD
SCAN INFECTED COMPUTER FOR MALWARE
http://spamcop.net/w3m?action=checkblock&ip=14.96.170.206
Other hosts in this "neighborhood" with spam reports: 14.96.170.112 14.96.170.181 14.96.170.224 14.96.171.22 14.96.171.49 14.96.171.156 14.96.171.165
mMerlin, posted June 28, 2014

> Botnet static (joe job). The sites are suspicious but "innocent".

Which would be fine if the sites were innocent (for values of). These sites belonged with the spam. Same pattern / structure of emails I get all of the time, with random (botnet and open proxy) sources, and moving URLs. The difference is now almost all of the URLs are pointing to sites that are owned / hosted / managed [whatever] by Cloudflare.

I suppose the spam emails could have been collected (not like they are rare or anything), and sent again from a joe job botnet with adjusted URLs. Given that the URLs all look 'personalized' with identifier GUID, I do not want to go exploring the links to see if they really match with the spamvertized content. I tried some munged variations, but got nothing useful.
petzl, posted June 28, 2014

> Which would be fine if the sites were innocent (for values of). These sites belonged with the spam. Same pattern / structure of emails I get all of the time, with random (botnet and open proxy) sources, and moving URLs. The difference is now almost all of the URLs are pointing to sites that are owned / hosted / managed [whatever] by Cloudflare.
>
> I suppose the spam emails could have been collected (not like they are rare or anything), and sent again from a joe job botnet with adjusted URLs. Given that the URLs all look 'personalized' with identifier GUID, I do not want to go exploring the links to see if they really match with the spamvertized content. I tried some munged variations, but got nothing useful.

The sites I looked at are criminal. But don't believe they are "with" the botnet. A while ago this botnet was framing a stolen credit card site/s. Could be a "loose cannon" gibbering?
n4af, posted August 13, 2014

It seems to me the CF is doing a better job. I have not seen any criminals hiding behind them for the last week of spam (at least not here).

Now, what to do about hosting RIGHTSIDE.CO AND OVH.CA? They host 95% of all spam sites rcvd here.

Howie
petzl, posted August 13, 2014

> It seems to me the CF is doing a better job. I have not seen any criminals hiding behind them for the last week of spam (at least not here).
>
> Now, what to do about hosting RIGHTSIDE.CO AND OVH.CA? They host 95% of all spam sites rcvd here.
>
> Howie

Not sure about "RIGHTSIDE.CO". OVH.CA are spam friendly. It helps if you include a SpamCop track, to get better advice.

OVH have a report site here, but I find it not helping:
http://www.ovh.com/fr/support/documents_le...nu_illicite.cgi

If it is a porn site spam I include this boiler text (makes OVH complacent in Child Porn):

Child porn spammer pictures under 18 or made to look under 18
PORN SPAMMER uses hacked web and email accounts
Change log-on to a more secure password!
Scan for Malware!
hank, posted May 10, 2017

Very, very tired of Cloudflare spam.

Cloudflare was in the news recently for disclosing to alt-right sites the identity of people who complained about the nazi-type stuff they send out through Cloudflare.

https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web

This is one example why SpamCop ought to be working to do better at removing all the personal identification material, including the unique tracking strings the spammers use, to protect people who complain.
Morg2, posted June 2, 2017

I note that Cloudflare has been a spam haven problem for years now. But just like Hank, I am very very tired of them. In the last 2 months almost all my spam (like, 20 a day) has come from Limestone Networks, and referenced stuff at Cloudflare.

And weirdly, at least half of the clickbait subject lines are "Hitler's last words". Gee. Little did I know that they had YouTube back when Hitler died. And I sure don't know why anyone at all would be interested in what it go-pro'd on him. But apparently somebody thinks that this line will be the one that causes people to give away their identities to some internet criminal.
groupboard, posted June 4, 2017

It seems to have suddenly become a major problem in the last week or so. Now about 90% of our spam is hosted through Cloudflare. Reporting the spams doesn't help -- the domains are never removed from Cloudflare.

Cloudflare themselves don't really seem to give a crap... lots of people complaining to them on Twitter, but they don't seem to care. They just say they're not hosting it, and direct people to report it via the web form (which they then just ignore).

I just implemented a change to our spam filter yesterday, which has completely resolved the issue: I now block all emails coming from domains registered less than 7 days ago. (I don't specifically check for hosting on Cloudflare, as this should kill spams from elsewhere as well.) If anyone wants the Perl function, let me know.
groupboard, posted October 2, 2017

Cloudflare spam is a problem again, because the main spammer ("James Wilson") who is sending 99% of our inbound spam through Cloudflare domains is now using older domains rather than day-old ones.

The solution seems to be to put a 15 minute delay into our spam filter if it is a Cloudflare-hosted domain ("whois $domain | grep -i cloudflare" returns 0). This gives the IP address time to show up on the various blacklists.
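
The two filter rules from the June 4 and October 2, 2017 posts, combined in one decision function. This is an added example, not part of the thread and not the poster's Perl function, which the thread does not show. Assumptions: the function names, the WHOIS field labels, the constructed `example` records, matching on name servers only (narrower than the `grep -i cloudflare` in the post), and deferring when WHOIS has no creation date.

```python
import re
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)        # threshold from the June 2017 post
DEFER_FOR = timedelta(minutes=15)  # delay from the October 2017 post

# Field labels vary between registries; these two spellings are an assumption.
CREATED_RE = re.compile(r"^\s*(?:Creation Date|created):\s*(\S+)", re.I | re.M)
NS_RE = re.compile(r"^\s*(?:Name Server|nserver):\s*(\S+)", re.I | re.M)

# Constructed WHOIS excerpts; the example names are placeholders, not thread data.
FRESH = ("Domain Name: fresh.example\nCreation Date: 2017-09-30T08:00:00Z\n"
         "Name Server: ns1.host.example\n")
AGED_CF = ("Domain Name: aged.example\nCreation Date: 2015-03-01T00:00:00Z\n"
           "Name Server: ADA.NS.CLOUDFLARE.COM\nName Server: BOB.NS.CLOUDFLARE.COM\n")
AGED = ("Domain Name: plain.example\nCreation Date: 2012-01-15T00:00:00Z\n"
        "Name Server: ns1.host.example\n")
NOW = datetime(2017, 10, 2, 12, 0, tzinfo=timezone.utc)


def parse_whois(text):
    """Return (creation time in UTC or None, lower-cased name servers)."""
    created = None
    m = CREATED_RE.search(text)
    if m:
        try:
            created = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            if created.tzinfo is None:
                created = created.replace(tzinfo=timezone.utc)
        except ValueError:
            created = None  # unparseable date is treated as unknown
    servers = [ns.lower().rstrip(".") for ns in NS_RE.findall(text)]
    return created, servers


def decide(whois_text, now):
    """Return (action, reason); action is 'reject', 'defer' or 'accept'."""
    created, servers = parse_whois(whois_text)
    if created is not None and now - created < MIN_AGE:
        return "reject", f"domain registered {(now - created).days} day(s) ago"
    if any(ns.endswith(".cloudflare.com") for ns in servers):
        return "defer", f"Cloudflare name servers; hold {DEFER_FOR} for blocklists"
    if created is None:  # assumption: unknown age is held, not trusted
        return "defer", "no creation date in WHOIS"
    return "accept", "older than threshold, no Cloudflare name servers"
```

In a live filter the WHOIS text would come from a lookup on the sender's domain, and a deferred message would be re-checked against the blocklists once the delay has passed.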
Archived
This topic is now archived and is closed to further replies.